Enterprises Security Choices and Tradeoffs for BYOD

Bring Your Own Device (BYOD) continues to gain momentum as users bring devices into work environments in droves.  Enterprises must make tricky security decisions to balance the tradeoffs of costs, user productivity, and security. 

BYOD is affecting organizations both large and small.  In our highly connected world, workers bring familiar and favored smartphones, tablets, and other computing devices into work and expect to leverage them for convenience and to improve productivity.  It can have a great positive effect on the business but also raises security concerns.  Management can’t hide from taking a position, establishing boundaries, and understanding the tradeoffs. 

In today’s responsible corporate environment, enterprises realize the danger of uncontrolled devices being on their network and accessing business data.  Such devices introduce chaos into security and IT manageability, driving up risks and expenses.  Organizations want to enable employee productivity but must maintain an acceptable level of risk and keep costs flat, or at the very least justifiable.  It is a tough balancing act between risks, costs, and user productivity.

Management has a number of high-level choices, each with its own pros, cons, and other tradeoffs.  Before committing to a particular path, leaders must understand these options in order to select the best direction for their organization:

1. No personal devices allowed.  Forbid personal smartphones, tablets, and non-managed computers from accessing work systems, networks, and data.
Pro: This strategy manages security risks and keeps costs relatively flat.  It has been the traditional solution. 
Con: Not practical for 99.9% of the world.  It’s like trying to hold back a tidal wave with a paper cup.  Workers, starting with the tech savvy, will bring in devices and connect them, soon to be followed by the rest of the staff.  Most likely they and the less technical community have already been doing this for some time.  It starts with email forwarding, access to work calendars, meeting logistics, file sharing, instant messaging, etc.  Implementing such a policy ignores the opportunity for significant worker productivity gains and stifles the flexibility that everyone desires.  When employees have convenient access to such data, they are more effective, efficient, and happy.

2. Company provides mobile devices.  Providing corporate-managed devices in lieu of employees’ personal devices allows systems to be vetted before they access work networks and data.
Pro: Security standards, selective deployment, and the ability to enforce controls allow the organization to manage risks and costs. 
Con: Upfront expenses are high, user happiness tends to be low, and manageability costs slowly creep up over time.  The out-of-pocket equipment and service costs can be very expensive.  To control costs, most organizations will not provide everyone with a company device.  So a “have” and “have-not” class system emerges, which spawns resentment.  Those who are provided devices must manage their personal devices in addition to the company-provided ones.  If you have ever been forced to carry two phones, you know how much of a pain this becomes. 

Even in a perfect environment with happy users, a different problem emerges: the commingling of personal and business data on employer-managed devices.  This can be a nightmare, fraught with legal and ethical pitfalls.  

Each class, brand, and even model must be configured and secured.  IT departments must support users trying to access services and data.  The more types of devices, the more complex and expensive the support becomes.  One of the keys to managing support costs is scalability, so it is normal for an organization to settle on one or two configurations to start, which will not make everyone happy, as people have their own preferences.  Demand can grow to expand the list of supported configurations, especially as new options become available in the marketplace.  Expanded support is great for users, but a nightmare for IT, as it increases the legacy support burden for older configurations which are still in use.  Over time the cost of support will steadily increase, and the cost of refreshing old and damaged devices will be ever present.

From a productivity perspective, users get an initial boost from the latest equipment and software, but will soon see a degradation as the organization cannot keep up with the latest features coming to market.   

3. BYOD of Any Device. All devices welcome with open arms!  Users are able to bring in, connect, and use their favorite devices.  Security controls are usually network based or provided via containerization technology on the device itself. 
Pro: Initial hardware costs are very low for the organization, as the user absorbs the initial out-of-pocket costs for the device.  Productivity remains high, as users will continually install the latest applications and refresh to current hardware as they see fit.
Con: Expensive to manage and secure.  Costs skyrocket to provide and maintain security controls and connectivity support over a wide swath of different devices and applications.  Security solutions, many with a high per-seat cost, are required.  Not all devices are created or configured equally, adding to the cost and frustration of IT and security departments.  The expenses continue to increase and never plateau, as users follow the non-stop march of evolving technology, applications, and shiny devices.

Challenges with the commingling of users’ private data and enterprise oversight can still persist, depending upon the controls and access configurations in place.

4. BYOD of Certain Devices. The middle ground: users front the initial costs, and the enterprise can focus on the security and management of a much smaller subset of devices.  Network, cloud, and device containerization technology provide security. 
Pro: Low initial costs, as users purchase the devices.  It is a flexible model in which the optimal balance of cost, productivity, and security can be adjusted as needed.
Con: Still costly, as the enterprise must invest in security solutions for the allowed devices, but policy will limit the number of configurations and therefore help keep costs and risks more manageable.  As new devices are supported, costs will rise due to legacy support and other complexities.  Security is managed based upon the vetting and controls mandated for approved configurations.
Productivity varies based upon the breadth and timeliness of support for new technologies.  Satisfaction follows the same curve.  The more devices and applications supported in a timely manner, the happier and more productive the users, but the costs skyrocket accordingly.

Sadly, the pesky problem of data commingling is still present. 

There is no universal winning choice.  It really depends on the organization, its risk appetite, budget, worker productivity needs, and the sway of the most vocal users.  A very small number of organizations, mostly government types, can disallow all personal devices.  Only companies willing to spend a tremendous amount of money on hardware, or those which already have a strong caste system to support a limited distribution, will be interested in providing workers with such devices in addition to their primary work PCs.  Organizations which have little need for the confidentiality, integrity, and availability aspects of security might be able to live with openly connecting any BYOD their users may bring into the office, although a significant number of organizations may dabble in this area before realizing the rapidly growing support costs and security issues and changing to a different strategy.  In the end, I believe the majority of organizations will choose to embrace the last option of supporting only certain BYOD devices.  They will select a mix of devices, software, and controls which satisfy a broad community while keeping costs and risks predictable.  This is no small feat, as these solutions are not yet mature. 

Every organization must find its own path.  It must consider the options and the tradeoffs of costs, productivity, and risk.  No perfect solution exists, but with forethought, collaboration with users, and solid execution, a manageable solution might be within grasp.

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.